yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2060916] Re: [RFE] Add 'trusted_vif' field to the port attributes

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <2060916@xxxxxxxxxxxxxxxxxx>
Date: Fri, 06 Sep 2024 01:27:52 -0000
Reply-to: Bug 2060916 <2060916@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/926068
Committed: https://opendev.org/openstack/neutron/commit/104cbf9e60001329968bcab2e6d95ef38168cbc5
Submitter: "Zuul (22348)"
Branch:    master

commit 104cbf9e60001329968bcab2e6d95ef38168cbc5
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Fri Aug 9 16:47:04 2024 +0200

    Add trusted vif api extension for the port
    
    This patch adds implementation of the "port_trusted_vif" API extension
    as ml2 extension.
    With this extension enabled, it is now possible for ADMIN users to set
    port as trusted without modifying directly 'binding:profile' field
    which is supposed to be just for machine to machine communication.
    
    Value set in the 'trusted' attribute of the port is included in the
    port's binding:profile so that it is still in the same place where e.g.
    Nova expects it.
    
    For now setting this flag directly in the port's binding:profile field
    is not forbidden and only warning is generated in such case but in
    future releases it should be forbiden and only allowed to be done using
    this new attribute of the port resource.
    
    This patch implements also definition of the new API extension directly
    in Neutron. It is temporary and will be removed once patch [1] in
    neutron-lib will be merged and released.
    
    [1] https://review.opendev.org/c/openstack/neutron-lib/+/923860
    
    Closes-Bug: #2060916
    Change-Id: I69785c5d72a5dc659c5a2f27e043c686790b4d2b


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2060916

Title:
  [RFE] Add 'trusted_vif' field to the port attributes

Status in neutron:
  Fix Released

Bug description:
  Currently 'trusted=true' can be passed to Neutron by admin user
  through the port's "binding:profile" field but this field originally
  was intended to be used only for the machine-machine communication,
  and not to be used by any cloud user. There is even info about that in
  the api-ref:

  "A dictionary that enables the application running on the specific
  host to pass and receive vif port information specific to the
  networking back-end. This field is only meant for machine-machine
  communication for compute services like Nova, Ironic or Zun to pass
  information to a Neutron back-end. It should not be used by multiple
  services concurrently or by cloud end users. The existing
  counterexamples (capabilities: [switchdev] for Open vSwitch hardware
  offload and trusted=true for Trusted Virtual Functions) are due to be
  cleaned up. The networking API does not define a specific format of
  this field. ..."

  
  This will be even worst with the new S-RBAC policies where "binding:profile" field is allowed to be changed only for the SERVICE role users, not even for admins.

  So this small RFE is proposal to add new API extension which will add
  field, like "trusted_vif" to the port object. This field would be then
  accesible for ADMIN role users in the Secure-RBAC policies.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2060916/+subscriptions

References

[Bug 2060916] [NEW] [RFE] Add 'trusted_vif' field to the port attributes
From: Slawek Kaplonski, 2024-04-11